DNSSEC vaildation fails with SERVFAIL

I am using Knot Resolver in TLS_FORWARD mode to Cloudflare's 1.1.1.1 resolver.

I get the issue, that since some recent change in Turris OS, quite often queries for DNSSEC-enabled domains fail, most likely because of some invalid state cached.

Used version: 2.3.0

https://gist.github.com/patryk/9b0a655a5ff85b104a4ea4820829f194 - verbose logs and config file.

Edited Jun 15, 2018 by Patryk Szczygłowski

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Admin message

Admin message

DNSSEC vaildation fails with SERVFAIL